Using Application Level Gateways with NAT


First Published: May 2, 2005
Last Updated: November 24, 2010

This module describes the basic tasks to configure an Application Level Gateway (ALG) with Network Address Translation (NAT). This module also provides information about the protocols that use ALG for IP header translation.

NAT performs translation service on any TCP/UDP traffic that does not carry source and destination IP addresses in the application data stream. These protocols include HTTP, TFTP, telnet, archie, finger, Network Time Protocol (NTP), Network File System (NFS), and remote copy (rcp).

Specific protocols that do embed the IP address information within the payload require support of an ALG. Cisco IOS XE NAT requires a variety of ALGs to handle application data stream (Layer 7) protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels.

NAT supports virtual routing and forwarding (VRF) for protocols that have a supported ALG.

The Support for IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS XE NAT device configured in Overload or Port Address Translation (PAT) mode.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Using Application Level Gateways with NAT" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Using Application Level Gateways with NAT

Information About Configuring Application Level Gateways with NAT

How to Configure Application Level Gateways with NAT

Configuration Examples for Using Application Level Gateways with NAT

Additional References

Feature Information for Using Application Level Gateways with NAT

Prerequisites for Using Application Level Gateways with NAT

Before performing the tasks in this module, you should be familiar with the concepts described in the "Configuring NAT for IP Address Conservation" module.

All access lists required for use with the tasks in this module should be configured prior to beginning the configuration task.

Before performing the tasks in this module, you should verify that Session Initiation Protocol (SIP) and H.323 are not disabled. SIP and H.323 are enabled by default.

Information About Configuring Application Level Gateways with NAT

Application Level Gateway

NAT Support for Application Level Gateways in Cisco IOS XE Software

Application Level Gateway

An ALG is an application that translates IP address information inside the payload of an application packet.

Cisco IOS XE NAT performs translation service on any TCP/UDP traffic that does not carry the source and destination IP addresses in the application layer data stream. Specific protocols or applications that do embed IP address information require support of an ALG.

See the NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers matrix for a table that summarizes NAT and Firewall ALG feature support on Cisco ASR 1000 Series Aggregation Services Routers in Cisco IOS XE Release 2.1 and later releases.

NAT Support for Application Level Gateways in Cisco IOS XE Software

The following section provides information on NAT support for ALGs in Cisco IOS XE software.

The features described in the following subsections are enabled by default unless otherwise noted; no configuration is necessary:

Benefits of Configuring NAT IPsec

IP Security

SPI Matching

NAT Support of Skinny Client Control Protocol

NAT vTCP ALG Support

NAT NetBIOS ALG Support

NAT RCMD ALG Support

NAT RTSP ALG Support

NAT Support for SIP—Voice and Multimedia over IP Networks

NAT ALG—SIP REFER Method

NAT ALG—SIP Trunking Support

NAT SIP Extended Methods

NAT SCCP Video Support

NAT Basic H.323 ALG Support

NAT H.323 RAS

NAT NetMeeting Directory (LDAP)

NAT DNS ALG Support

NAT ICMP ALG Support

NAT FTP ALG Support

NAT TFTP ALG Support

Benefits of Configuring NAT IPsec

NAT enables customers to deploy private IP addresses within their network and perform translation to public IP addresses when connecting to the Internet or interconnecting with another corporate network.

Normally ESP entries in the translation table are delayed from being transmitted until a reply is received from the destination. With predictable security parameter indexes (SPIs) and SPI matching, the delay can be eliminated because the SPI entries are matched. Some third-party concentrators require both the source and incoming ports to use port 500. Use of the preserve-port keyword with the ip nat service command preserves the ports rather than changing one, which is required with regular NAT.

IP Security

IPsec is a set of extensions to the IP protocol family in a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the IETF, IPsec ensures confidentiality, integrity, and authenticity of data communications across the public network and provides cryptographic security services.

IPsec provides secure tunnels between two peers, such as two routers. The configuration decides which packets are considered sensitive and should be sent through these tunnels, and which parameters should be used to protect those packets, by specifying the characteristics of the tunnels. When an IPsec peer receives a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

IPsec using ESP can pass through a router running NAT without any specific support from it as long as Network Address Port Translation (NAPT) or address overloading is not configured.

There are a number of factors to consider when attempting an IPsec VPN connection that traverses a NAPT device that represents multiple private internal IP addresses as a single public external IP address. Such factors include the capabilities of the VPN server and client, the capabilities of the NAPT device, and whether more than one simultaneous connection is attempted across the NAPT device.

There are two possible methods for configuring IPsec on a router with NAPT:

Encapsulate IPsec in a Layer 4 protocol such as TCP or UDP. In this case, IPsec is sneaking through NAT. The NAT device is unaware of the encapsulation.

Add IPsec specific support to NAPT. IPsec works with NAT in this case as opposed to sneaking through NAT. The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS XE router configured with NAPT.

The recommended protocols to use when conducting IPsec sessions that traverse a NAPT device are TCP and UDP, but not all VPN servers or clients support TCP or UDP.

SPI Matching

SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list.
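The following model, added here as an illustration and not taken from Cisco IOS XE code, shows why ESP needs help from the NAPT device and what SPI matching changes. ESP carries no port numbers, so the only field a NAPT device can demultiplex on is the SPI, and the inbound SPI is chosen by the remote peer. Without SPI matching the inbound entry can only be learned from the first reply, which works for one tunnel at a time; with predictable, symmetric SPIs the entry can be installed as soon as the outbound packet is seen. The addresses, SPI values and the table layout are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "192.0.2.30"   # constructed: outside address of the NAPT device


@dataclass
class EspPacket:
    src: str
    dst: str
    spi: int   # the only per-connection field ESP exposes; there are no ports


@dataclass
class NaptDevice:
    """Simplified NAPT table for ESP; a real device also ages entries out."""
    spi_matching: bool = False
    # (peer address, inbound SPI) -> inside host that owns the tunnel
    inbound: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # peer address -> inside hosts still waiting for their first reply
    pending: Dict[str, List[str]] = field(default_factory=dict)

    def translate_out(self, pkt: EspPacket) -> EspPacket:
        if self.spi_matching:
            # Endpoints generate predictable, symmetric SPIs, so the reply
            # will carry this same SPI: install the inbound entry right away.
            self.inbound[(pkt.dst, pkt.spi)] = pkt.src
        else:
            # The peer chooses its own SPI; the entry has to wait for a reply.
            self.pending.setdefault(pkt.dst, []).append(pkt.src)
        return EspPacket(PUBLIC_IP, pkt.dst, pkt.spi)

    def translate_in(self, pkt: EspPacket) -> Optional[EspPacket]:
        key = (pkt.src, pkt.spi)
        owner = self.inbound.get(key)
        if owner is None:
            waiting = self.pending.get(pkt.src, [])
            if len(waiting) != 1:
                # No tunnel, or several tunnels to the same peer in setup at
                # once: the reply cannot be attributed, so it is not forwarded.
                return None
            owner = waiting.pop()
            self.inbound[key] = owner      # learned from the first reply
        return EspPacket(pkt.src, owner, pkt.spi)


PEER = "198.51.100.7"                      # constructed remote IPsec gateway
HOST_A, HOST_B = "10.10.10.10", "10.10.10.11"


def single_tunnel(spi_matching: bool) -> Optional[str]:
    """One inside host; returns the inside address the reply reaches."""
    nat = NaptDevice(spi_matching)
    nat.translate_out(EspPacket(HOST_A, PEER, 0x1111))
    reply = nat.translate_in(EspPacket(PEER, PUBLIC_IP, 0x1111))
    return reply.dst if reply else None


def concurrent_tunnels(spi_matching: bool) -> Tuple[Optional[str], Optional[str]]:
    """Two inside hosts bring up tunnels to the same peer at the same time."""
    nat = NaptDevice(spi_matching)
    nat.translate_out(EspPacket(HOST_A, PEER, 0x1111))
    nat.translate_out(EspPacket(HOST_B, PEER, 0x2222))
    r1 = nat.translate_in(EspPacket(PEER, PUBLIC_IP, 0x1111))
    r2 = nat.translate_in(EspPacket(PEER, PUBLIC_IP, 0x2222))
    return (r1.dst if r1 else None, r2.dst if r2 else None)


if __name__ == "__main__":
    print("single tunnel, no SPI matching:", single_tunnel(False))
    print("two tunnels, no SPI matching:  ", concurrent_tunnels(False))
    print("two tunnels, SPI matching:     ", concurrent_tunnels(True))
```

The model deliberately refuses to forward a reply it cannot attribute rather than guessing; on a real NAT device the same ambiguity is what forces ESP entries to wait for a reply, and the spi-match service removes the wait only when both endpoints really do generate symmetric SPIs, which is why the page requires the endpoint-side command as well.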

NAT Support of Skinny Client Control Protocol

Cisco IP phones use the SCCP to connect with and register to Cisco CallManager.

To be able to deploy Cisco IOS XE NAT between the IP phone and Cisco CallManager in a scalable environment, NAT needs to be able to detect the SCCP and understand the information passed within the messages. Messages flow back and forth that include IP address and port information used to identify other IP phone users with which a call can be placed.

The SCCP client to Cisco CallManager communication typically flows from inside to outside. When the Cisco CallManager is on the inside (behind the NAT device), DNS should be used to resolve the Cisco CallManager IP address, or static NAT should be configured so that the Cisco CallManager on the inside can be reached.

When an IP phone attempts to connect to the Cisco CallManager and it matches the configured NAT rules, NAT will translate the original source IP address and replace it with one from the configured pool. This new address will be reflected in the Cisco CallManager and be visible to other IP phone users.

NAT vTCP ALG Support

Cisco IOS XE NAT provides Virtual TCP (vTCP) support to handle TCP segmentation and reassembly for ALGs. When a Layer 7 protocol uses TCP for transport, the payload can be segmented for various reasons, such as Maximum Segment Size (MSS), application design, and TCP window size. Proper recognition of these TCP segments is required to perform the parsing. Therefore, a generic framework called vTCP is used by various ALGs to tackle TCP segmentation.

Some applications, such as SIP, require the entire payload to rewrite the embedded data. In addition, ALGs are not developed to consider the data splitting between packets that is required for the firewall. Therefore, vTCP is also required for the firewall without any changes to the current ALGs. NAT and the firewall ALG configuration activate the vTCP configuration.

vTCP does not support the data channel traffic. To protect system resources, vTCP does not support reassembled messages larger than 8 KB.

NAT ALG—vTCP for SIP

Cisco IOS XE Release 3.2S supports the NAT ALG—vTCP for SIP feature. With the introduction of vTCP support for SIP, the individual TCP segments will be chained together to form a complete SIP message and passed to the SIP parser. vTCP also supports ACK and reliable transmission of buffered data. ACK is a SIP method that is used to acknowledge that the received message is valid and accepted.

The NAT ALG—vTCP for SIP feature does not support:

Data channel traffic.

Reassembled Layer 7 messages that are larger than 8 KB.

TCP segments that are larger than 8 KB.

vTCP SIP trunk calls.
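As an added illustration of the reassembly job vTCP does for the SIP ALG (this is not the Cisco implementation), the following reassembler chains TCP segments until a complete SIP message, delimited by the header terminator and its Content-Length, is available, and enforces the 8 KB limit stated above so that a peer cannot make it buffer without bound. The SIP message and the segment boundaries are constructed; the `SipReassembler` class and its helpers are this example's own names.

```python
from typing import List, Optional

MAX_MESSAGE = 8 * 1024   # reassembly cap stated in the text


class SipReassembler:
    """Chain TCP segments into whole SIP messages for a parser to consume."""

    def __init__(self, limit: int = MAX_MESSAGE) -> None:
        self.limit = limit
        self.buf = b""
        self.dropped = 0

    def feed(self, segment: bytes) -> List[bytes]:
        """Append one TCP segment; return every complete message now available."""
        if len(segment) > self.limit:
            self.dropped += 1          # oversize segment: not buffered at all
            return []
        self.buf += segment
        if len(self.buf) > self.limit:
            # Resource protection: discard the oversize partial message rather
            # than keep growing the buffer on behalf of one peer.
            self.buf = b""
            self.dropped += 1
            return []
        out: List[bytes] = []
        while True:
            msg = self._extract()
            if msg is None:
                break
            out.append(msg)
        return out

    def _extract(self) -> Optional[bytes]:
        end = self.buf.find(b"\r\n\r\n")
        if end < 0:
            return None                # headers not complete yet
        length = 0
        for line in self.buf[:end].split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() in (b"content-length", b"l"):   # "l" is the SIP compact form
                length = int(value.strip() or b"0")
        total = end + 4 + length
        if len(self.buf) < total:
            return None                # body still arriving
        msg, self.buf = self.buf[:total], self.buf[total:]
        return msg


def build_invite() -> bytes:
    """Constructed INVITE with an SDP body, used as sample input."""
    body = (b"v=0\r\no=- 1 1 IN IP4 10.10.10.10\r\ns=-\r\n"
            b"c=IN IP4 10.10.10.10\r\nt=0 0\r\n"
            b"m=audio 49170 RTP/AVP 0\r\n")
    head = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/TCP 10.10.10.10:5060\r\n"
            b"Content-Type: application/sdp\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def reassemble(segments: List[bytes]) -> List[bytes]:
    """Run a list of segments through one reassembler and collect messages."""
    r = SipReassembler()
    out: List[bytes] = []
    for s in segments:
        out.extend(r.feed(s))
    return out


def oversize_is_dropped() -> int:
    """Feed a partial message that grows past the limit; return the drop count."""
    r = SipReassembler()
    r.feed(b"INVITE sip:x SIP/2.0\r\nX-Pad: " + b"a" * 5000 + b"\r\n")
    r.feed(b"X-Pad2: " + b"b" * 5000 + b"\r\n")
    return r.dropped


if __name__ == "__main__":
    msg = build_invite()
    print(len(reassemble([msg[:20], msg[20:80], msg[80:]])), "message(s) reassembled")
    print(oversize_is_dropped(), "oversize message(s) dropped")
```

Two messages that arrive back to back in one segment are split correctly because extraction loops on the buffer, and a message cut at any byte, including inside the Content-Length header, is completed by later segments; that is exactly the property an ALG loses if it parses each segment on its own.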

NAT NetBIOS ALG Support

Cisco IOS XE NAT application awareness includes support for Network Basic Input Output System (NetBIOS) applications. A NetBIOS ALG translates IP addresses and port numbers embedded in the NetBIOS packets when a NAT mapping is processed. The NAT NetBIOS ALG Support feature introduces the show platform hardware qfp [active | standby] feature alg statistics netbios command to display NetBIOS-specific information for a router and the match protocol netbios command to configure network-based application recognition (NBAR) to match for NetBIOS traffic.

NAT RCMD ALG Support

Cisco IOS XE NAT application awareness includes support for the remote command execution service (RCMD) applications remote login (rlogin), remote shell (rsh) protocol, and remote execution (rexec). A RCMD ALG translates IP addresses and port numbers embedded in these RCMD application packets when a NAT mapping is processed. The NAT RCMD ALG Support feature introduces the show platform software trace message process qfp active command to display RCMD-specific information for a router.

NAT RTSP ALG Support

Cisco IOS XE NAT application awareness includes support for Real-Time Streaming Protocol (RTSP) applications. An RTSP ALG translates IP addresses and port numbers embedded in the RTSP packets when a NAT mapping is processed.

NAT Support for SIP—Voice and Multimedia over IP Networks

SIP is a protocol developed by the IETF Multiparty Multimedia Session Control (MMUSIC) Working Group. The Cisco SIP functionality equips Cisco routers to signal the setup of voice and multimedia calls over IP networks. SIP provides an alternative to H.323 within the VoIP internetworking software.

Session Description Protocol (SDP) is a protocol that describes multimedia sessions. SDP may be used in SIP message bodies to describe multimedia sessions used for creating and controlling multimedia sessions with two or more participants.

The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with NAT to be translated and encoded back to the packet. An ALG is used with NAT to translate the SIP messages.


Note: By default, support for SIP is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT service may corrupt the packet as it attempts to interpret the packet as a SIP call message.


NAT ALG—SIP Multiple Media Line Support

The NAT ALG—SIP Multiple Media Line Support feature supports a maximum of five media lines in SDP. These media lines can be a combination of audio, video, and data.

SDP describes multimedia sessions. A media session description includes the media type, the transport port to which the media stream is sent, the transport protocol, and the media format. All media descriptions start with the media line attribute "m=" and terminate at the end of the session description. There can be multiple media lines depending on the services supported by the SIP peers.

The NAT ALG—SIP Multiple Media Line Support feature uses the transport port information in the media description to create a door for NAT. Doors are transient structures that allow incoming traffic that matches a specific criterion. A door is created when there is not enough information to create a complete NAT session entry. A door contains information about the source and destination IP address and the destination port. However, it does not have information about the source port. When media data arrives, the source port information is known and the door is promoted to a real NAT session.

When a door receives information about the source IP address, destination IP address, source port, destination port, and protocol from the incoming packet, it will change itself from a door to a full NAT session. A door and a full NAT session are saved in different databases. When a door becomes a full NAT session, the door entry is removed from the door database and a new NAT entry is added to the NAT session database.
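The door mechanism described in the two paragraphs above, as an added example that is not the Cisco implementation: the code parses the c= and m= lines of an SDP body (refusing more than the five media lines the feature supports), opens one door per media line keyed on remote source address, destination address, destination port and protocol, and promotes a door to a full session when the first media packet supplies the missing source port. A packet that matches no door and no session is dropped. The sample SDP is constructed and already carries the NAT global address in its c= line, as it would after ALG translation; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MEDIA_LINES = 5   # limit stated in the text


@dataclass(frozen=True)
class Door:
    src_ip: str      # remote media sender; its source port is not yet known
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_sdp(sdp: str) -> Tuple[str, List[Tuple[str, int, str]]]:
    """Return the session-level c= address and (media, port, transport) per m= line."""
    conn = ""
    media: List[Tuple[str, int, str]] = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            conn = line.split()[-1]            # "c=IN IP4 192.0.2.30"
        elif line.startswith("m="):
            kind, port, transport = line[2:].split()[:3]
            media.append((kind, int(port), transport))
    if not conn:
        raise ValueError("SDP has no c= line")
    if len(media) > MAX_MEDIA_LINES:
        raise ValueError(f"{len(media)} media lines, ALG limit is {MAX_MEDIA_LINES}")
    return conn, media


class DoorTable:
    """Door database and NAT session database, kept separately as in the text."""

    def __init__(self) -> None:
        self.doors: Dict[Tuple[str, str, int, str], Door] = {}
        self.sessions: Dict[Tuple[str, int, str, int, str], Session] = {}

    def open_doors(self, sdp: str, remote_ip: str) -> int:
        """Open one door per media line for the media the remote peer will send."""
        conn, media = parse_sdp(sdp)
        for _kind, port, transport in media:
            proto = "udp" if transport.startswith("RTP") else transport.lower()
            d = Door(remote_ip, conn, port, proto)
            self.doors[(d.src_ip, d.dst_ip, d.dst_port, d.proto)] = d
        return len(media)

    def media_packet(self, src_ip: str, src_port: int, dst_ip: str,
                     dst_port: int, proto: str) -> Optional[Session]:
        """Classify an arriving media packet: existing session, door promotion, or drop."""
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.sessions:
            return self.sessions[key]
        door = self.doors.pop((src_ip, dst_ip, dst_port, proto), None)
        if door is None:
            return None              # no door: dropped, nothing is learned
        s = Session(*key)            # source port now known: full NAT session
        self.sessions[key] = s       # door entry removed, session entry added
        return s


SAMPLE_SDP = (   # constructed offer; c= already carries the NAT global address
    "v=0\r\no=- 1 1 IN IP4 192.0.2.30\r\ns=-\r\n"
    "c=IN IP4 192.0.2.30\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

if __name__ == "__main__":
    t = DoorTable()
    print("doors opened:", t.open_doors(SAMPLE_SDP, "198.51.100.7"))
    print("promoted:", t.media_packet("198.51.100.7", 30000, "192.0.2.30", 49170, "udp"))
    print("stray source:", t.media_packet("203.0.113.9", 30000, "192.0.2.30", 51372, "udp"))
```

The door is what keeps the pinhole narrow: it is tied to the remote address taken from the signalling, so a packet from another source to the same port does not match it, and it lives only until the first matching packet promotes it.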

NAT ALG—SIP REFER Method

The NAT ALG—SIP REFER Method feature is used for call transfers. A REFER message is used to refer to a peer. The REFER method indicates that the recipient of a call, identified by a request Uniform Resource Identifier (URI) must contact a third party using the contact information provided in the request.

The NAT ALG—SIP REFER Method feature supports two types of call transfers, unattended (blind) transfer and attended (consultative) transfer. For more information on call flows, see the SIP Call Flows document.

NAT ALG—SIP Trunking Support

A SIP trunk is a direct connection of an IP PBX to a service provider over an IP network using SIP. There can be numerous concurrent calls in a SIP trunk, and during call setup all of them use the same control channel. Because more than one call shares the control channel, the stateful information stored in the control channel session becomes ambiguous. The SIP stateful information consists of the media channel information, such as the IP address and port number used by client/server endpoints to send media data, and that information is used to create a door for the data channel in NAT. Because multiple calls use the same control channel for call setup, there are multiple sets of media data. The NAT ALG—SIP Trunking Support feature uses a local database to store all the media-related information within a SIP trunk; the Call ID of each call is used to index this local database.

TCP segmentation in a SIP trunk can cause unexpected behavior that includes packet drops, TCP reset, and slow response.

NAT SIP Extended Methods

Cisco IOS XE NAT supports extended methods for SIP.

NAT SCCP Video Support

Cisco IOS XE NAT provides Skinny Call Control Protocol (SCCP) message translation support.

NAT Basic H.323 ALG Support

H.323 is a recommendation published by ITU-T defining a series of network elements and protocols for multimedia transmission through packet-based networks. H.323 defines a number of network elements used in the multimedia transmission:

H.323 Terminal—This element is an endpoint in the network providing two-way communication with another H.323 terminal or gateway.

H.323 Gateway—This element provides a protocol conversion between H.323 terminals and other terminals that do not support H.323.

H.323 Gatekeeper—This element provides services like address translation, network access control, bandwidth management, and accounting for H.323 terminals and gateways.

The core protocols described by the H.323 specification are the following:

H.225—This protocol describes call signaling methods used between any two H.323 entities to establish communication.

H.225 Registration, Admission, and Status (RAS)—This protocol is used by the H.323 endpoint and gateway for address resolution and admission control services.

H.245—This protocol is used for exchanging the capabilities for multimedia communication and for opening and closing of logical channels for audio, video, and data channels.

In addition to the protocols listed, the H.323 specification describes the use of various IETF protocols, such as the Real-time Transport Protocol (RTP), and of audio (G.711, G.729, and so on) and video (H.261, H.263, and H.264) codecs.

Cisco IOS XE NAT requires a variety of ALGs to handle Layer 7 protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels. The H.323 ALG performs these specific services for H.323 messages.

NAT H.323 RAS

Cisco IOS XE NAT supports all H.225 and H.245 message types, including those sent in the RAS protocol. RAS provides a number of messages that are used by software clients and VoIP devices to register their location, request assistance in call setup, and control bandwidth. The RAS messages are directed toward an H.323 gatekeeper.

Some RAS messages include IP addressing information in the payload, typically meant to register a user with the gatekeeper or learn about another user already registered. If these messages are not known to NAT, they cannot be translated to an IP address that will be visible to the public.

In Cisco IOS XE Release 2.4 and later releases, H.225 RAS (v2 and v4) messages can be inspected for potential translation. Prior to Cisco IOS XE Release 2.4, NAT did not support H.225 RAS messages.

NAT NetMeeting Directory (LDAP)

Cisco IOS XE NAT provides ALG support for NetMeeting directory Lightweight Directory Access Protocol (LDAP) version 2 and version 3 messages.

Users have the ability to establish calls/connections between each other directly or through a NetMeeting directory. NetMeeting implements a series of LDAP messages for users to register themselves and perform lookups of other NetMeeting users against the directory. These messages include IP address information.

Before a NAT device can use a NetMeeting directory, NAT needs to understand the LDAP messages and perform standard NAT processing against the IP address information within these messages.

NAT DNS ALG Support

Cisco IOS XE NAT application awareness includes support for the Domain Name System (DNS). An ALG translates IP addresses and port numbers embedded in the DNS payload when a NAT mapping is processed.

NAT ICMP ALG Support

Cisco IOS XE NAT application awareness includes translation support for the Internet Control Message Protocol (ICMP). An ALG translates data embedded in the ICMP payload when a NAT mapping is processed.

NAT FTP ALG Support

Cisco IOS XE NAT application awareness includes support for FTP. An FTP ALG performs translation for the IP addresses and TCP port information embedded in the payload of an FTP control session.
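The following example, added here and not Cisco's code, shows what the FTP ALG has to do to an active-mode PORT command on the control session: parse the embedded inside address and port, rewrite them to the translated address and an allocated global port, open a door for the server's data connection, and track the change in payload length so that later TCP sequence and acknowledgement numbers can be adjusted. It also refuses a PORT command whose address is not the client's own, so the ALG never opens a pinhole to a third host. The addresses, the port allocation scheme and the `FtpAlg` class are constructed for the example.

```python
import re
from typing import Dict, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(payload: bytes) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (address, port)."""
    m = PORT_RE.match(payload)
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> bytes:
    """Encode (address, port) back into PORT command syntax."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


class FtpAlg:
    """Tracks one FTP control connection from a single inside client."""

    def __init__(self, inside_ip: str, global_ip: str, first_global_port: int = 40000) -> None:
        self.inside_ip = inside_ip
        self.global_ip = global_ip
        self.next_port = first_global_port    # constructed allocation: sequential
        self.seq_delta = 0                    # bytes added (+) / removed (-) client->server
        # (global_ip, global_port) -> (inside_ip, inside_port): door for the data connection
        self.doors: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_client_payload(self, payload: bytes) -> bytes:
        """Rewrite a client->server control payload; non-PORT commands pass through."""
        if not payload.startswith(b"PORT "):
            return payload
        ip, port = parse_port(payload)
        if ip != self.inside_ip:
            # Only open a door back to the host that owns the control connection.
            raise ValueError(f"PORT address {ip} is not the client's {self.inside_ip}")
        gport = self.next_port
        self.next_port += 1
        self.doors[(self.global_ip, gport)] = (self.inside_ip, port)
        rewritten = format_port(self.global_ip, gport)
        # The rewritten command is usually a different length; remember by how
        # much so that sequence numbers on later segments can be corrected.
        self.seq_delta += len(rewritten) - len(payload)
        return rewritten

    def client_seq(self, seq: int) -> int:
        """Sequence number the server should see on client->server segments sent after the rewrite."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def server_ack(self, ack: int) -> int:
        """Acknowledgement number the client should see on server->client segments."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


if __name__ == "__main__":
    alg = FtpAlg("10.10.10.10", "192.0.2.30")
    print(alg.translate_client_payload(b"PORT 10,10,10,10,192,42\r\n"))
    print("sequence delta:", alg.seq_delta, "doors:", alg.doors)
```

The sequence-number bookkeeping is the part of an FTP ALG that is easiest to get wrong: once the rewritten command is a byte shorter, every later client sequence number and every server acknowledgement must be shifted, or the connection stalls on what looks like lost data.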

NAT TFTP ALG Support

Cisco IOS XE NAT application awareness includes support for TFTP. A TFTP ALG creates a path for the TFTP data to traverse the NAT-enabled router.

How to Configure Application Level Gateways with NAT

This section contains the following procedures:

Configuring IPsec Through NAT (required)

Configuring NAT Between an IP Phone and Cisco CallManager (required)

Configuring IPsec Through NAT

To successfully configure ALGs with NAT, you should understand the following concepts:

Benefits of Configuring NAT IPsec

IP Security

SPI Matching

This section contains the following tasks related to configuring IPsec through NAT:

Configuring IPsec ESP Through NAT (required)

Enabling the Preserve Port (optional)

Disabling SPI Matching on the NAT Device or Changing the Default Port (required)

Enabling SPI Matching on the Endpoints (required)

Restrictions

NAT will translate only embedded IP version 4 addresses.

The multicast gatekeeper discovery mechanism is not supported.

Configuring IPsec ESP Through NAT

IPsec ESP through NAT provides the ability to support multiple concurrent IPsec ESP tunnels or connections through a Cisco IOS XE NAT device configured in Overload or PAT mode.

Perform this task to configure IPsec ESP through NAT.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat [inside | outside] source static local-ip global-ip

4. exit

5. show ip nat translations

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: ip nat [inside | outside] source static local-ip global-ip
Example: Router(config)# ip nat inside source static 10.10.10.10 192.0.2.30
Purpose: Enables static NAT.

Step 4: exit
Example: Router(config)# exit
Purpose: Returns to privileged EXEC mode.

Step 5: show ip nat translations
Example: Router# show ip nat translations
Purpose: (Optional) Displays the active NAT translations.

Enabling the Preserve Port

This task is used for IPsec traffic using port 500 for the source and incoming ports. Perform this task to enable port 500 to be preserved for both source and incoming ports.

Restrictions

This task is required by certain VPN concentrators but will cause problems with other concentrators. Cisco VPN devices generally do not use this feature.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat service list access-list-number IKE preserve-port

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: ip nat service list access-list-number IKE preserve-port
Example: Router(config)# ip nat service list 10 IKE preserve-port
Purpose: Specifies a port other than the default port.

Disabling SPI Matching on the NAT Device or Changing the Default Port

SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries are immediately placed in the translation table for endpoints matching the configured access list.

The generation of SPIs that are predictable and symmetric is enabled. SPI matching should be used in conjunction with NAT devices when multiple ESP connections across a NAT device are desired.

SPI matching is enabled by default for listening on port 2000. This task may be used to either change the default port or disable SPI matching.

Prerequisites

Cisco IOS XE software must be running on both the source router and the remote gateway enabling parallel processing.

Restrictions

SPI matching must be configured on the NAT device and both endpoint devices.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat service list access-list-number esp spi-match

4. no ip nat service list access-list-number esp spi-match

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: ip nat service list access-list-number esp spi-match
Example: Router(config)# ip nat service list 10 esp spi-match
Purpose: Specifies a port other than the default port. This example shows how to enter ESP traffic matching list 10 into the NAT table, making the assumption that both devices are Cisco devices and are configured to provide matchable SPIs.

Step 4: no ip nat service list access-list-number esp spi-match
Example: Router(config)# no ip nat service list 10 esp spi-match
Purpose: Disables SPI matching.

Enabling SPI Matching on the Endpoints

Perform this task to enable SPI matching on both endpoints.

Prerequisites

Cisco IOS XE software must be running on both the source router and the remote gateway enabling parallel processing.

Restrictions

SPI matching must be configured on the NAT device and both endpoint devices.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto ipsec nat-transparency spi-matching

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: crypto ipsec nat-transparency spi-matching
Example: Router(config)# crypto ipsec nat-transparency spi-matching
Purpose: Enables SPI matching on both endpoints.

Configuring NAT Between an IP Phone and Cisco CallManager

This section describes configuring Cisco's SCCP for Cisco IP phone to Cisco CallManager communication. The task in this section configures NAT between an IP phone and Cisco CallManager.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat service skinny tcp port number

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: ip nat service skinny tcp port number
Example: Router(config)# ip nat service skinny tcp port 20002
Purpose: Configures the skinny protocol on the specified TCP port.

Configuration Examples for Using Application Level Gateways with NAT

This section provides the following configuration examples:

Example: Configuring IPsec ESP Through NAT

Example: Enabling the Preserve Port

Example: Enabling SPI Matching

Example: Configuring SPI Matching on the Endpoint Routers

Example: Configuring NAT Between an IP Phone and Cisco CallManager

Example: Configuring IPsec ESP Through NAT

The following example shows NAT configured on the router with a static route. NAT is configured as inside source static 1-to-1 translations.

! Pool name must match the name referenced by the outside source translation
ip nat pool mypool 192.0.2.1 192.0.2.14 netmask 255.255.255.0
ip nat outside source list 1 pool mypool
access-list 1 permit 192.0.2.3 0.0.0.255
! Inside source static 1-to-1 translations, one per VRF
ip nat inside source static 192.0.2.23 192.0.2.22 vrf vrf1
ip nat inside source static 192.0.2.21 192.0.2.2 vrf vrf2

Example: Enabling the Preserve Port

The following example shows how to configure TCP port 500 of the third-party concentrator:

ip nat service list 10 ike preserve-port

Example: Enabling SPI Matching

The following example shows how to enable SPI matching. Access list 10 is configured:

ip nat service list 10 esp spi-match
access-list 10 permit 10.1.1.1

Example: Configuring SPI Matching on the Endpoint Routers

The following example shows how to enable SPI matching on the endpoint routers:

crypto ipsec nat-transparency spi-matching

Example: Configuring NAT Between an IP Phone and Cisco CallManager

The following example shows how to configure TCP port 20002 for Cisco CallManager SCCP traffic:

ip nat service skinny tcp port 20002

Additional References

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: NAT commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference

Related Topic: Configuring NAT for IP Address Conservation
Document Title: "Configuring NAT for IP Address Conservation" module

Related Topic: IP Addressing Services configuration tasks
Document Title: Cisco IOS XE IP Addressing Services Configuration Guide

Related Topic: NAT and Firewall ALG support
Document Title: NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers matrix

Related Topic: SIP Call Flows
Document Title: "SIP Call Flows" document


Standards

Standard
Title

None


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

RFC 3515

The Session Initiation Protocol (SIP) Refer Method


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Using Application Level Gateways with NAT

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Using Application Level Gateways with NAT

Feature Name
Releases
Feature Information

NAT ALG—SIP REFER Method

Cisco IOS XE Release 3.2S

The NAT ALG—SIP REFER method supports two types of call transfers, unattended (blind) transfer and attended (consultative) transfer.

The following section provides information about this feature:

NAT ALG—SIP REFER Method

NAT ALG—SIP Trunking Support

Cisco IOS XE Release 3.2S

The NAT ALG—SIP Trunking support feature uses a local database to store all the media-related information within a SIP trunk. Call IDs of each call are used to index this local database.

The following section provides information about this feature:

NAT ALG—SIP Trunking Support

NAT Basic H.323 ALG Support

Cisco IOS XE Release 2.1

Cisco IOS XE NAT requires a variety of ALGs to handle Layer 7 protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels. The H.323 ALG performs these specific services for H.323 messages.

The following section provides information about this feature:

NAT SCCP Video Support

NAT DNS ALG Support

Cisco IOS XE Release 2.1

Cisco IOS XE NAT supports translation of DNS packets.

The following section provides information about this feature:

NAT DNS ALG Support

NAT FTP ALG Support

Cisco IOS XE Release 2.1

Cisco IOS XE NAT supports translation of FTP packets.

The following section provides information about this feature:

NAT FTP ALG Support

NAT H.323 RAS

Cisco IOS XE Release 2.4

Cisco IOS XE NAT supports all H.225 and H.245 message types, including those sent in the Registration, Admission, and Status (RAS) protocol. RAS provides a number of messages that are used by software clients and VoIP devices to register their location, request assistance in call setup, and control bandwidth. The RAS messages are directed toward an H.323 gatekeeper.

The following section provides information about this feature:

NAT H.323 RAS

NAT ICMP ALG Support

Cisco IOS XE Release 2.1

Cisco IOS XE NAT supports translation of ICMP packets.

The following section provides information about this feature:

NAT ICMP ALG Support

NAT NetBIOS ALG Support

Cisco IOS XE Release 3.1S

Cisco IOS XE NAT provides Network Basic Input Output System (NetBIOS) message translation support.

This feature introduces the following new commands to display NetBIOS-specific information for a router: show platform hardware qfp [active | standby] feature alg statistics netbios.

The following section provides information about this feature:

NAT NetBIOS ALG Support

NAT NetMeeting Directory (LDAP)

Cisco IOS XE Release 2.4

Cisco IOS XE NAT provides ALG support for NetMeeting directory Lightweight Directory Access Protocol (LDAP) messages.

The following section provides information about this feature:

NAT NetMeeting Directory (LDAP)

NAT RCMD ALG Support

Cisco IOS XE Release 3.1S

Cisco IOS XE NAT provides remote command execution service (RCMD) message translation support.

This feature introduces the following new command to display RCMD-specific information for a router: show platform software trace message process qfp active.

The following section provides information about this feature:

NAT RCMD ALG Support

NAT RTSP ALG Support

Cisco IOS XE Release 3.1S

Cisco IOS XE NAT provides RTSP message translation support.

The following section provides information about this feature:

NAT RTSP ALG Support

NAT: SCCP for Video

Cisco IOS XE Release 2.4

Cisco IOS XE NAT provides Skinny Call Control Protocol (SCCP) message translation support.

The following section provides information about this feature:

NAT SCCP Video Support

NAT: SIP ALG Enhancement for T.38 Fax Relay

Cisco IOS XE Release 2.4.1

Cisco IOS XE NAT provides SIP ALG translation support for T.38 Fax Relay over IP.

NAT: SIP Extended Methods

Cisco IOS XE Release 2.4

Cisco IOS XE NAT supports extended methods for SIP.

The following section provides information about this feature:

NAT SIP Extended Methods

NAT Support of IP Phone to Cisco Call Manager

Cisco IOS XE Release 2.1

This feature adds NAT support for configuring Cisco's SCCP for communication between a Cisco IP phone and Cisco CallManager.

The following section provides information about this feature:

Configuring NAT Between an IP Phone and Cisco CallManager

NAT Support for IPsec ESP—Phase II

Cisco IOS XE Release 2.1

The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS XE router configured with NAPT.

The following sections provide information about this feature:

Configuring IPsec Through NAT

Example: Configuring IPsec ESP Through NAT

NAT Support for SIP

Cisco IOS XE Release 2.1
Cisco IOS XE Release 3.2S

NAT Support for SIP adds the ability to deploy Cisco IOS XE NAT between VoIP solutions based on SIP.

The following sections provide information about this feature:

NAT Support for SIP—Voice and Multimedia over IP Networks

NAT ALG—SIP Multiple Media Line Support

NAT TFTP ALG Support

Cisco IOS XE Release 2.1

Cisco IOS XE NAT supports translation of TFTP packets.

The following section provides information about this feature:

NAT TFTP ALG Support

NAT VRF-Aware ALG Support

Cisco IOS XE Release 2.5

Cisco IOS XE NAT supports virtual routing and forwarding (VRF) for protocols that have a supported ALG.

NAT vTCP ALG Support

Cisco IOS XE Release 3.1S
Cisco IOS XE Release 3.2S

Cisco IOS XE NAT provides vTCP support to handle TCP segmentation and reassembling for ALG.

The following sections provide information about this feature:

NAT vTCP ALG Support

NAT ALG—vTCP for SIP

Support for IPsec ESP Through NAT

Cisco IOS XE Release 2.1

The IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec ESP tunnels or connections through a Cisco IOS XE NAT device configured in Overload or PAT mode.

The following section provides information about this feature:

Configuring IPsec ESP Through NAT